I have a policy for the Print/Fax Protocol.  The rule is looking for a file name.  I have an exception for a keyword.  When testing this with a file containing the keyword, I still get an incident. 

It is not possible to have a policy using MetaData, such as a filename, with an exception in the content of the file when using Print/Fax.

Print/Fax is session based; it sends one page at a time to detection engine. Before starting to send a page to detection engine, it sends metadata first and then first data page, second data page etc. As evident, the metadata request does not contain any data.

Since the policy blocks all print with a keyword exception, the first metadata request always matches the rule (since it does not contain any data to match the exception) and therefore the block pop-up is seen. If there is no response rule created, then this would just be a false positive incident.